Talk: "RDBMS Security: A Sybase perspective"
Aditya Gurajada and Vivek Kandiyanallur

This talk will present the overall security architecture offered by Sybase's flagship enterprise-class RDBMS engine, Adaptive Server Enterprise (ASE). Some of the topics covered are traditional database access control features, such as login- and role-based permissions enforcement. Identification and authentication mechanisms (table-based, LDAP, PAM, Kerberos), object-level security, row-level access controls, securing data at rest and in motion (encryption/SSL), and auditing mechanisms will be discussed. Column-level encryption, the latest feature offering in the palette of security solutions, will be further discussed in detail.

The Encrypted Columns technology provides a column-based encryption strategy to protect sensitive user data. This solution requires no application changes, and hence is very easy to deploy in complex database installations. Native to the database, it removes cumbersome key generation/management responsibilities from the application developer. The new, grantable decrypt permission further protects access to sensitive data. The encrypted data can be migrated/replicated in encrypted form. Industry-standard AES is used for encrypting the data, with support for 128-, 192- and 256-bit keys. The talk will be followed by a demo of the encrypted columns feature to highlight its ease of use and rollout without any application changes.

Talk: "Wireless LAN (WLAN) Security: What Cryptography can and cannot do?"
K. N. Gopinath

Security has been one of the key concerns of wireless LANs (WLANs) since their very inception. Several cryptographic techniques have been proposed to provide security to WLANs. Examples include the (in)famous Wired Equivalent Privacy (WEP) protocol and some of the recent proposals such as WiFi Protected Access (WPA) and IEEE 802.11i. In this talk, we briefly present the operational details, strengths and weaknesses of the above techniques. Finally, we argue that such cryptographic techniques can, at best, provide security to communication that involves authorized devices only. Cryptography cannot solve a new set of threats that arise due to unauthorized devices (e.g., rogue APs, client mis-associations, denial-of-service attacks, ad hoc connections, etc.). Such threats can be handled by a Wireless Intrusion Prevention System (WIPS).

Workshop: "Building Demilitarized Zones using LARTC"
Saket Sathe, V. Mahesh Kumar

There is an ever increasing need for building cost-effective and secure DMZs (DeMilitarized Zones). LARTC (Linux Advanced Routing and Traffic Control) coupled with iptables enables us to build custom and scalable DMZs. Here, we shall initially provide a step-by-step introduction to LARTC and its capabilities. Then we will touch upon the fundamentals of DMZ design, configuration and specification. We will explain advanced routing features such as multipath default routes, dead gateway detection, alternative routes, ARP filtering, etc. A brief discussion on using LARTC in conjunction with Heartbeat (Linux-HA) to build multihomed and high-availability edge routers will be presented. Lastly, we shall demonstrate an actual full-scale solution implemented using LARTC and Linux-HA for the IIT-Bombay campus network, which serves more than seven thousand users.

Talk: "Fine Grained Authorization in Databases"
Prof. S. Sudarshan

Current day database applications, with large numbers of users, require fine-grained access control mechanisms, at the level of individual tuples, not just entire relations/views. Unfortunately, standard SQL does not have a way to specify such access control, and most database systems cannot handle thousands of users, let alone millions for Web scale applications. Fine-grained access control is therefore typically enforced in the application code. This approach has numerous drawbacks, such as difficulty of management, and lack of transparency, which can be avoided by devising mechanisms for specifying/enforcing fine-grained access control at the database level.

In recent years, there has been a fair amount of research in this area, and several database products, such as Oracle and Sybase, have incorporated forms of fine-grained access control. In this talk we present an overview of fine-grained access control in databases. We concentrate on conceptual issues, which apply across different products.

Talk: "PKI: Web of Trust (WoT) using GPG"
Rukma V.

A PKI (public key infrastructure) enables users of an inherently insecure public network such as the Internet to securely and privately exchange data and money through the use of a public and a private cryptographic key pair that is obtained and shared through a trusted authority. A public-private key cryptography system allows users to more easily integrate the use of encryption into their daily tasks, such as electronic mail protection and authentication, and protecting files stored on a computer. In such cases the bigger question is: how do we ensure that the public key I have obtained actually belongs to the intended person?

One affordable solution is the Web of Trust (WoT), where there is no central authority and the users certify each other. The two algorithms followed in practice are PGP (Pretty Good Privacy) and GPG (GnuPG, GNU Privacy Guard). PGP is an electronic privacy program which helps you ensure privacy by letting you encrypt files and e-mail. The encryption technology employed by PGP is very strong. However, it uses the patented IDEA algorithm. GnuPG is a complete and free replacement for PGP. Because it does not use the patented IDEA algorithm, it can be used without any restrictions. GnuPG is also an RFC 2440 (OpenPGP) compliant application. We will discuss how a WoT is built using these algorithms (maybe one of these, preferably GPG) and is used for key generation, identity verification and key signing.

Talk: "Cyber Warfare and Techniques to Protect Information Infrastructure"
Lt Col Sriharsha

The art of warfare has metamorphosed over the ages, shortening the OODA loop. It has transited from being platform-centric to network-centric. The strategies and tactics of the Armed Forces have transformed accordingly, though implementing these requires active involvement of academia and industry. The primary areas of concern remain: transformation of technology for enterprise networks to warfare networks, survivability and availability, customised and containerised communication platforms, ruggedisation and sanitisation of COTS equipment, convergence of voice, video and data, security against cyber attacks, indigenous encryption solutions, interoperability and synchronised clocks.

Talk: "Virus-Antivirus Co-evolution"
Dilip Ranade, Symantec

Over the past twenty years, computer malware has evolved from simple computer programs capable of spreading on a single PC to complex software worms which can ravage entire computer networks. Much of the evolution of new computer virus threats has come from two major sources. First, as popular new computing platforms become available, virus authors seek to exploit these platforms. Second, the co-evolution of anti-virus technology has spurred the development of increasingly powerful, more complex malware threats. This talk will examine the co-evolution of both computer malware and antivirus detection algorithms, with the goal of giving the audience a deep technical understanding of how antivirus software detects threats, and how it has had to change over the years to remain effective.

Talk: "Practical Considerations for Secure Voice over IP"
Atul Narkhede, VP of Engineering, GS Lab

VoIP usage is exploding as an inexpensive mode of communication. This talk addresses some interesting and practical problems involved in setting up a VoIP client, constraints introduced by network protocols and network security devices like firewalls and NAT, and the solutions to overcome NAT.

The talk concludes with the proposed protocol standards to address the problems in the form of an integrated and elegant solution.

Talk: "Transparent Data Encryption and Built-in Key Management in Oracle Database Server 10.2"
Gopal Mulagund, Oracle

Transparent Data Encryption enables customers to encrypt data in columns without having to manage the encryption key. Businesses can protect sensitive data in their databases without having to make changes to their applications. The data columns can be encrypted using industry standard encryption algorithms such as AES and 3DES. Key Management is handled by the database. SQL interfaces to Key Management hide the complexity of encryption, and introduce "separation of duty" between security officers and database administrators.

Talk: "Systematic Defense of Web Applications"
Ajit Dhumale, GS Lab

Use of a clear-text protocol like HTTP and accessibility over a public network make web applications low-hanging fruit for attackers. Moreover, firewalls cannot stop HTTP payloads, making HTTP an increasingly popular vehicle for attacks. A large number of vulnerabilities in web applications are today exploited by such attacks, leading to a significant increase in the liability and compliance burden for the host organization. This makes systematic security testing mandatory. In the past such security testing was considered a 'black art' practiced by "pen testers". This talk covers various vulnerabilities and provides a systematic method of uncovering them. Various techniques for defense will also be presented.

Talk: "Hardware Based Security Implementation"
Venkat Pullela, Manager, Cisco India

Routers have evolved from workstations with no monitor and no keyboard to highly efficient hardware. Along the way, security has become the most important feature of routers apart from routing itself. Security too has evolved from simple software-based filtering to highly specialized ASICs such as Ternary Content-Addressable Memories (TCAMs). This talk will cover the evolution of hardware-based implementation of security in routers and switches. It will also cover the rule representations and algorithms involved.

Talk: "Privacy Preserving in Data Mining"
Kriti Puniyani

As more and more organizations start using data mining to help them with their business decisions, privacy concerns due to mining of private data are rising. Users are becoming more and more concerned about how the data that they provide to various organizations will be used by them. Organizations like Google, Amazon and eBay are already mining user information, and almost all companies now have privacy policies in place. In this talk we will see how privacy is currently achieved in practice, and the possible scenarios in which this privacy will be violated. Finally, we will also look at what organizations should actually be doing to achieve privacy while mining user information.

Talk: "Bluetooth Security"
Alok Sontakke

Bluetooth is a technology for short range wireless communication. Security is always a concern in wireless communication due to the inherent broadcast nature of the wireless medium. We can associate two categories of vulnerabilities with any protocol viz. vulnerabilities in the security mechanism specified by the protocol and vulnerabilities exposed as a result of improper implementation of the protocol. Loss of personal data, anonymous messaging, location tracking are some of the threats faced by users of Bluetooth devices as a result of such vulnerabilities. In this talk we analyze the Authentication & Encryption mechanism specified in the Bluetooth protocol and possible attacks that have been proposed in the literature along with proposed solutions to avoid such attacks.

Talk: "XML Security"
Manish Gupta

XML is developing as a standard for data transfer between heterogeneous data sources, and use of Web services is increasing day by day. To satisfy the increasing demand for security of these XML-based services, the W3C has developed a "Web Service Security Standards" framework. XML Encryption specifies an XML-based syntax and processing rules for selectively encrypting particular XML nodes in an XML document. XML Signatures have the ability to sign only specific portions of the XML tree rather than the complete document. XML Key Management specifies protocols for distributing and registering public keys. WS-Security provides a general-purpose mechanism for associating security tokens with messages and describes how to encode X.509 certificates and Kerberos tickets. WS-Trust, WS-Policy, WS-SecureConversation and WS-Privacy are other standards built on top of the above basic standards. In this talk, we will give an overview of these technologies for XML security.

Workshop: "Honeypots"
R Vamshi Krishna, A. Shyam Sunder

Honeypots are closely monitored network decoys serving several purposes. They can distract adversaries from more valuable machines on a network, they can provide early warning about new attack and exploitation trends, and they allow in-depth examination of adversaries during and after exploitation of a honeypot.

Honeypots are a highly flexible security tool with different applications for security. They don't fix a single problem. Instead they have multiple uses, such as prevention, detection, or information gathering. Honeypots all share the same concept: a security resource that should not have any production or authorized activity. In other words, deployment of honeypots in a network should not affect critical network services and applications. A honeypot is a security resource whose value lies in being probed, attacked, or compromised.

In our workshop we will be explaining the concept of security through the usage of honeypots. We will also demonstrate a couple of popular open source honeypots.